Service access

ABSTRACT

A method for providing access to a service for a user in a communication system, comprising the steps of: using a specific record associated with said user, at a node in the communication system, containing information which, determines that a user is to be verified prior to providing access to said service.

The present invention relates to a method and apparatus for providing access to a service. In particular, but not exclusively, the present invention provides a user of mobile user equipment in a wireless communication system with access to internet multimedia services.

The introduction of Third Generation (3G) communication systems will significantly increase the possibilities for accessing services on the internet via mobile user equipment (UE).

Various user equipment (UE) such as computers (fixed or portable), mobile telephones, personal data assistants or organisers and so on are known to the skilled person and can be used to access the internet to obtain services. Mobile user equipment referred to as a mobile station (MS) can be defined as a means that is capable of communication via a wireless interface with another device such as a base station of a mobile telecommunication network or any other station. Such a mobile user equipment can be adapted for voice, text message or data communication via the wireless interface.

The term “service” used above and hereinafter will be understood to broadly cover any service or goods which a user may desire, require or be provided with. The term also will be understood to cover the provision of complimentary services. In particular, but not exclusively, the term “service” will be understood to include internet multimedia services (IMS), conferencing, telephony, gaming, rich call, presence, e-commerce and instant messaging.

The 3G Partnership Project (3GPP) is defining a reference architecture for the Universal Mobile Telecommunication System (UMTS) core network which will provide the users of UE with access to these services. This UMTS core network is divided into three principal domains. These are the Circuit Switched domain, the Packet Switched domain and the Internet Protocol Multimedia (IM) domain.

The latter of these, the IM domain, makes sure that multimedia services are adequately managed. The IM domain supports the Session Initiation Protocol (SIP) as developed by the Internet Engineering Task Force (IETF).

SIP is an application layer signalling protocol for starting, changing and ending user sessions. A session may, for example, be a two-way telephone call or multi-way conference session. The establishment of these sessions enables a user to be provided with the services above mentioned. One of the basic features of SIP is that the protocol enables personal mobility of a user using mobile UE by providing the capability to reach a called party via a single location independent address.

In view of this high level of mobility it is important to provide a way for users to indicate to a service provider that they are entitled to be provided with a service. In this sense internet service providers (ISP's) and mobile operators require user authentication, authorisation and accounting (AAA) when granting access to network resources. Certain well-established authentication mechanisms, such as DIAMETER, have been developed and are usable with SIP for verifying that a user is permitted to access the service.

The communication system will include many component parts including a local serving network, where the UE is located, a home network and an SIP network which is an overlay to the packet switched (PS) domain. The IM domain in 3GPP includes a number of different entities including a proxy call state control function (P-CSCF) which is the UE point of contact in the serving (visiting) network. It is this point where the network places constraints on the bearer supporting the session. P-CSCF corresponds to a SIP proxy in the general SIP framework. The IM domain also includes a serving call state control function (S-CSCF) which is located in the home network of the user and which is responsible for identifying the user's service privileges. S-CSCF corresponds to a SIP registrar in the general SIP framework. The S-CSCF selects and provides access to the home network authentication, authorisation and accounting home server (AAA-H) which provides authentication, authorisation and accounting checking. In addition the IM domain includes at least one interrogating call state control function (I-CSCF) which locates the S-CSCF upon a request for registration by the UE. I-CSCF may use AAA-H server for locating the S-CSCF. I-CSCF corresponds to a SIP proxy in the general SIP framework.

When a user registers to the SIP network, verification of a user's authenticity and/or authorisation to receive services is carried out, after which point in time access to services may be permitted.

However, SIP does not require the user to register to the network before it can request service. Therefore, it is possible that the network performs authentication and/or authorization in the beginning of the SIP session initialization.

In order to help maintain an acceptably high level of security in the communication system it is advantageous to ensure that the authenticity and/or authorisation of a user is verified at predetermined intervals or on the occurrence of predetermined events, for example whenever an SIP session is initiated. Earlier, in order to do a check, the information required to carry out this check has been stored in the Home network of the user in the AAA-H. Therefore a roundtrip of messaging signals to the AAA-H has been required which can be time consuming and has led to undue delay in the provision of services. Additionally if a check is made for every SIP session a large load is placed on the communication system to enable sufficient communication links and/or bandwidth to be allocated to enable this to be carried out. This is especially problematic in wireless networks where the bandwidth may be very limited in the air interface.

It is an aim of embodiments of the present invention to at least partly mitigate the above-referenced problems.

According to a first aspect of the present invention there is provided a method for providing access to a service for a user in a communication system, comprising the steps of: storing a specific record, associated with said user, at a node in the communication system, containing information which, that a user is to be verified prior to providing access to said service.

According to a second aspect of the present invention there is provided a method for providing a user of user equipment with access to a service from a service provider node in a wireless communication system, comprising the steps of, using a user specific record indicating a condition which, if satisfied, determines that a user characteristic is to be verified prior to providing access to said service; and providing access to said service responsive to said user specific record.

According to a third aspect of the present invention there is provided a server node of a communication system for providing a user or user equipment with access to a service from a service provider node, said server node comprising: means for receiving a message from said user equipment; means for using a user specific record, associated with said user, indicating a condition which, if satisfied, determines that a user characteristic is to be verified prior to providing said user with access to said a service.

According to a fourth aspect of the present invention there is provided mobile user equipment, for providing a user with access to a service from a service provider node, comprising: means for using a user specific record associated with said user, indicating a condition which, if satisfied, determines that a user characteristic is to be verified prior to providing said user with access to said a service; and means for generating, in response to said user specific record, an access message for providing said user with access to said service.

Embodiments of the present invention provide the advantage that the user's validity to be provided with a service is verified at least at a predetermined frequency to ensure that a user is duly authorised and/or authentic. This is done in a manner which reduces the load/volume of traffic on the communication system and also reduces the delay in providing such verification compared to prior art systems.

For a better understanding of the present invention reference will now be made, by way of example only, to the accompanying drawings in which:

FIG. 1 illustrates a partial IP multimedia architecture;

FIG. 2 illustrates conventional access authentication;

FIG. 3 illustrates a procedure for verification of a user;

FIG. 4 illustrates the transfer of a user specific record;

FIG. 5 illustrates a process for providing access to a service;

FIG. 6 illustrates a mobile station.

FIG. 7 illustrates an alternative Registration process; and

FIG. 8 illustrates an INVITE process with authorisation and/or authentication.

FIG. 9 illustrates an INVITE process without authorisation and/or authentication from the AAA-H. In the drawings like reference numerals refer to like parts.

FIG. 1 illustrates a partial internet protocol (IP) multimedia network architecture. A mobile station (MS) 100 can be a mobile telephone or a laptop computer which has a radio modem or a fax adapted for radio access. The term MS is used here as an example of mobile user equipment (UE). This communicates with the Universal Mobile Telecommunication System (UMTS) Radio Access Network (UTRAN) 110 over the radio interface (U_(m)). The UTRAN includes a network element node B, which provides equipment for transmission and reception of messages and may additionally include ciphering equipment. This communicates with a radio network controller (RNC) 110 as is known in the art.

The RNC 110 sets up the radio channels for signalling to the core network node 112 which may comprise a serving General Packet Radio Service GPRS support node (SGSN). The signalling occurs over the I_(u) interface. The SGSN provides the network access node and mobility management functions. The node 112 is essentially a switching node which can perform connection management, mobility management and authentication activities. The core network node 112 is connected to the gateway GPRS support node (GGSN) 114 via the G_(n) interface. The GGSN provides access, via the G_(i) interface, to the services area 116 over IP packet data networks such as the internet and internet service providers (ISP).

The call state control function (CSCF) 118 supports and controls sessions during which the UE obtains IMS services from the services area 116. In addition, CSCF may consist of Proxy, Interrogating and Serving CSCFs as described earlier. The CSCF provides flexibility to modify, add or erase bearers used by the user's services as will be discussed in more detail hereinafter. Amongst other functions the CSCF 118 controls call functions, thus executes call setup, modification and termination and performs address handling. The CSCF accesses the Home Subscriber Server (HSS) 120 via the CX interface. The HSS is a master server containing data relating to a particular user. It contains data relating to a specific user which can identify how call services are to be carried out and authentication and authorization information. The HSS is located in the home network of the UE user which may be some distance from the location of the UE, which is serviced by a local (visited) network. The HSS is connected to the SGSN 114 and GGSN via the G_(r) and G_(c) interfaces respectively.

In order to provide access to internet and other IM services to users, protocols have been developed to assist in providing telephony services across the internet. The session initiation protocol (SIP) is one such protocol which has been developed for controlling the creation, modification and termination of sessions with one or more parties. The call sessions may include internet or other IP network telephone calls, conferences or other multimedia activities.

SIP addressing follows the popular internet convention of identifying a user by a unique address using Uniform Resource Locators (URL's). SIP signalling between two users consists of a series of requests and responses. A SIP transaction has dual parties, the user agent client (UAC) who sends a request and a user agent server (UAS) who responds in reply to the request. The client and server comprise the SIP user agent. In addition to this SIP includes the SIP network server which is the network device/s which handle signalling associated with multiple calls.

As is known in the art an SIP invitation typically includes two messages. It will be understood that there may be more messages than only these and that, in fact, in 3GPP there are more messages used. These are not discussed herein for the sake of brevity. The two messages are an INVITE, initiated by the caller UAC and a 200 OK message from the callee. This latter message is typically acknowledged by the caller after which stage the parties may communicate according to parameters sent and received during signalling. Both caller and callee can end a session by executing a BYE message. During an established session a new set of parameters may be selected by either participant producing a further INVITE message or by using some other SIP message.

SIP also provides for registration which enables a user to be reached/contacted. SIP clients register themselves with the communication system using a REGISTER message which requests are directed to SIP servers termed Registrars in the SIP network.

The SIP Network includes proxies and other server nodes which may be included in other elements of the communication system or may comprise separate elements. FIG. 2 illustrates the registration system.

The UE 100 which may comprise the UAC issues a register message REG, to a proxy-call state control function (P-CSCF) node 200. This is the UE point of contact in the serving network of the communication system where the UE is located. The P-CSCF 200 directs the call to the home network of the user of the UE 100. The P-CSCF node 200 issues a register message REG₂ to the interrogating CSCF (I-CSCF) 202. This network element is located in the home network of the communication system and directs the registration request to the serving CSCF (S-CSCF) 204 with a registration request REG₃. I-CSCF may interrogate the HSS for locating the S-CSCF. The S-CSCF acts as a Registrar network element and identifies the service privileges of the user requesting registration. Once these have been identified the registration is completed with a flow of 200 OK messages from the S-CSCF 204 to the I-CSCF 202, to the P-CSCF 200 and to the UE 100.

It will be understood that it is important for the recipient of an SIP message to be able to confirm that the caller is who he is holding himself out to be. Also in the case of internet service providers (ISP) it is important that the ISP's can verify that the caller is duly authorised to access the required services and/or that he can pay for those services. In this sense ISP's are said to require AAA, user authorisation, authentication and accounting when granting access to their network resources.

Accounting is the act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation. Authentication is the act of verifying a claimed identity, in the form of a pre-existing label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication). Authorisation is the act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential.

FIG. 3 illustrates how AAA can be achieved using an authentication mechanism requiring accessing data stored in the AAA-H. The UE 100 issues a register message 300 to the local proxy 200. A local proxy is a proxy that may exist within the same administrative domain as the network device that issued the register via the REGISTER message. Typically a local proxy is used to multiplex AAA messages to and from a large number of network devices, and may implement policy. The local proxy 200 issues a register message 302 to the Registrar node (which may be directed via an I-CSCF as noted above). In response to the register message 302 the Registrar 204 enquires, with message 304, from a server 306, which is associated with the home AAA server, about the caller's status. In the case of an as yet unauthorised caller the server 306 responds with an unauthorised message 308 which acts as a server created challenge. The server 204 signals an unauthorised message 310 to the proxy 200. The proxy returns a proxy authentication required message 312 to the UE which indicates a failure response. The header of this message describes an authentication scheme and server challenge. In reply the UE 100 creates a new request with a header field describing its authentication details. These are sent to the Registrar 204 via the proxy server 200 as messages 314 and 316. These may be used to update the server via message 318 which returns a response to the registrar server 204 and then 200 OK messages 322 and 324 to the proxy server and UE respectively created by the nodes 204 and 200. The server 306 may provide the required authentication and/or authorization information already in the message 308 in which case the messages 318 and 320 may not be needed.

It will be appreciated that every time a user or the user equipment 100 requires a service, an authorisation and/or authentication request, for verifying the user accessing data stored in the AAA-H server of the home network, is required. This leads to a delay in providing the verification and to the requirement for a multitude of messaging signals to be generated and transmitted in the communication system. FIG. 4 illustrates how a user characteristic, such as authorisation and/or authenticity, can be verified at a rate which provides an acceptable level of security whilst reducing the delay prior to obtaining the verification and reducing the number of messaging signals required. When mobile user equipment 100 seeks to register or initiates a service with the communication system this request message 400 is transmitted to the P-CSCF server 200. Message 402 is transmitted from the P-CSCF to the S-CSCF 204 (this may, for example, be via an I-CSCF although this is not shown in FIG. 4 for the sake of brevity). The AAA-H, which is situated in the home network to which the S-CSCF has access, thereafter carries out the authentication/authorisation process illustrated in FIG. 3. This is indicated by the exchange of messages 404. In addition an authorisation and authentication profile is transmitted with message 406 from the AAA-H to the S-CSCF 204 or to the P-CSCF 200. It will be understood that in accordance with embodiments described hereinafter the profile could be sent directly to the P-CSCF from the AAA infrastructure without transferring via the Registrar (S-CSCF). This is shown in the FIGS. 7 and 8. In such examples the home network nodes I-CSCF and S-CSCF do not need to be contacted during Registration or session initiation. Once the profile is downloaded to the P-CSCF or S-CSCF the AAA-H does not need to be contacted in every registration or session initiation.
The authorisation and authentication profile includes data associated with the user of the user equipment registering or initiating session. The information contained in the profile is specific to that user and includes a record detailing when the SIP network must contact the AAA-H server prior to permitting that user to access services from a service provider node. In addition to the profile, the home network may also provide information to the serving element which allows the serving element, e.g. S-CSCF, to authorise and/or authenticate the user directly without contacting the home network, i.e. AAA-H. The user specific record (or profile) can indicate any predetermined rate or frequency or event at which reference must be made to the AAA-H. This rate can vary from anything between never having to authenticate and/or authorise the user prior to providing the service, to the other extreme of having to authenticate and/or authorise the user to access a service for every session between the user equipment and a service provider node. Some other alternatives are that every Nth session must be authenticated and/or authorised; that only certain types of sessions, e.g. multimedia, need to be authenticated and/or authorised; that authentication and/or authorisation is needed only at a certain time of day; or that authentication and/or authorisation is needed for sessions if more than N seconds have passed from the previous authentication and/or authorisation. In embodiments of the present invention authentication and/or authorisation is needed when a certain number of sessions are ongoing simultaneously. Alternatively authentication and/or authorisation is needed if the user is served by certain predetermined networks. Alternatively authentication and/or authorisation is needed if the user is roaming outside the home network.
In this sense the user specific record indicates a condition which if satisfied determines that a user characteristic, such as for example the authenticity or authorisation of the user, must be verified before access to the service requested by a user may be provided. Once this user specific record has been transmitted from the AAA-H to the S-CSCF (or directly to P-CSCF) reference to the record may be made every time a user registers or re-registers to the network or when every session initialisation is carried out or periodically based on some timer criteria. Thereafter if the condition, indicating that authentication and/or authorisation is required, is not satisfied then access to the service may be automatically provided by the service provider without the requirement for reference to be made to the AAA-H. By setting the frequency/rate at which reference to the AAA-H should be made an acceptable level of security can be attained whilst improving the efficiency of the system. The efficiency can be improved by reducing the amount of signalling traffic required in the communication system to access the AAA-H. Alternatively embodiments of the present invention reduce the delay in providing the user with access to the services since the required signalling is reduced. Where the home network nodes, e.g. S-CSCF and AAA-H, need not be in the signalling path, the time delays in transmitting and receiving the required messaging signals may even be obviated.

It will be understood by those skilled in the art that the present invention is not limited to the condition indicated by the user specific record as noted hereinabove. Rather any rate or event could be selected for determining when the user authorisation and/or authentication should be verified before access to a required service is provided.

FIG. 5 illustrates how the method according to an embodiment of the present invention may operate. At step S501 the procedure is initiated. This may occur when the user initially registers to the network or as an alternative when session initialisation is begun. The skilled man will understand that the procedure may be begun at any other appropriate time. At step S503 the session number M is set to one to indicate that this is the first call session. It will be understood that the inclusion of the steps referring to the setting and counting of the session number M are not essential to the present invention. At step S505 a check is made to see whether a condition is satisfied. By way of example in this embodiment the condition which must be satisfied is that authorisation and authentication is verified every Mth session. Since this is the first session the condition is not satisfied since M indicating the session number is one. Thereafter a message may be generated by the P-CSCF which can be used to instruct the ISP to provide the user with access to the required service. This is step S507. After step S507 a check is carried out to determine whether the call session has ended. This could be for example when the user wished to end a call session with the issuance of a BYE message; this is step S509. If the session is ended the procedure stops at step S511. If the session is not ended then the session number M is incremented by one at step S513 and the process is repeated. Once the session number M has been incremented to N the check at step S505 whether the condition is satisfied will be positive. When the condition is met a user characteristic such as the authentication or authorisation of the user to be provided access to the services is checked at step S515 and the question of whether the user is authorised and/or authenticated to access the service is determined at step S517.
Access is provided at step S507 if the verification procedure indicates that the user may be provided with the service whilst at step S5019 a failure of the user to be authorised and/or authenticated results in the denial of access to the service provided by the SIP.
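The condition check of FIG. 5 and the record alternatives listed above (every Nth session, session type, time of day, age of the last verification, simultaneous sessions, serving network, roaming) can be sketched as follows. This is an added example, not code from the patent: all class, field and function names are hypothetical, the sample identities are constructed, and sending a user with no cached record to the AAA-H is an assumption of the sketch.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class UserRecord:
    """User specific record downloaded from the AAA-H (hypothetical field names)."""
    always: bool = False                          # verify for every session
    every_nth_session: Optional[int] = None       # verify every Nth session
    session_types: frozenset = frozenset()        # e.g. {"multimedia"}
    hours: Optional[Tuple[int, int]] = None       # verify when start <= hour < end
    max_age_s: Optional[int] = None               # verify if last check is older than this
    max_concurrent: Optional[int] = None          # verify once this many sessions are ongoing
    networks: frozenset = frozenset()             # serving networks that force verification
    when_roaming: bool = False                    # verify outside the home network


@dataclass
class UserState:
    session_no: int = 0                 # session number M of FIG. 5
    ongoing: int = 0                    # sessions currently established
    last_verified: Optional[float] = None


@dataclass(frozen=True)
class Request:
    session_type: str
    now: float                          # seconds since epoch
    hour: int                           # local hour of day, 0-23
    serving_network: str
    home_network: str


def condition_satisfied(rec: UserRecord, st: UserState, req: Request) -> Optional[str]:
    """Step S505: return why verification is required, or None if it is not."""
    if rec.always:
        return "every session"
    n = rec.every_nth_session
    if n and st.session_no % n == 0:
        return f"every Nth session (N={n})"
    if req.session_type in rec.session_types:
        return f"session type {req.session_type}"
    if rec.hours and rec.hours[0] <= req.hour < rec.hours[1]:
        return "time of day"
    if rec.max_age_s is not None and (
        st.last_verified is None or req.now - st.last_verified > rec.max_age_s
    ):
        return f"verification older than {rec.max_age_s} s"
    if rec.max_concurrent is not None and st.ongoing >= rec.max_concurrent:
        return "simultaneous sessions"
    if req.serving_network in rec.networks:
        return "predetermined serving network"
    if rec.when_roaming and req.serving_network != req.home_network:
        return "roaming outside home network"
    return None


class ServingNode:
    """P-CSCF or S-CSCF holding cached user specific records."""

    def __init__(self, verify_with_home: Callable[[str], Tuple[bool, Optional[UserRecord]]]):
        self.verify = verify_with_home          # stands in for the AAA-H round trip
        self.records: Dict[str, UserRecord] = {}
        self.states: Dict[str, UserState] = {}
        self.home_round_trips = 0

    def on_session(self, user: str, req: Request) -> Tuple[str, str]:
        st = self.states.setdefault(user, UserState())
        st.session_no += 1
        rec = self.records.get(user)
        # Assumption: no cached record means the AAA-H must be consulted.
        reason = "no cached record" if rec is None else condition_satisfied(rec, st, req)
        if reason is not None:                  # steps S515/S517
            self.home_round_trips += 1
            ok, fresh = self.verify(user)
            if not ok:
                return ("deny", reason)
            if fresh is not None:
                self.records[user] = fresh      # profile returned with the AAA answer
            st.last_verified = req.now
        st.ongoing += 1                         # step S507: access provided
        return ("permit", reason or "condition not satisfied")

    def on_bye(self, user: str) -> None:
        st = self.states.get(user)
        if st and st.ongoing:
            st.ongoing -= 1
```

With a record of `every_nth_session=3`, six consecutive sessions cost three AAA-H round trips (the initial download plus sessions 3 and 6) instead of six.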

FIG. 7 illustrates how, according to further embodiments of the present invention, the Registration process of a mobile station 100 may take place without reference messages being required to the I-CSCF 202 or the S-CSCF 204. The mobile station 100 sends and receives messages from the P-CSCF 200 over link 700 which will be initiated by a REGISTER message. Upon receipt of the REGISTER message the P-CSCF 200 issues an AAA request message 702 to an AAA function node (AAA-F) 704 in the visited network 710. The node 704 includes functionality for receiving and transmitting messaging signals from the P-CSCF to further AAA infrastructure in the system. AAA-F node may have some functionality for performing local decisions such as whether it authorizes the access to the user. The AAA-F node 704 transmits an AAA request message 706 to an AAA proxy 708 which contacts an AAA proxy 712 in the home network 720 of the user 100. This is illustrated by message 714. The AAA proxy 712 transmits an AAA request message 716 to the AAA-H server. An AAA answer 718 which includes the AAA profile of the user of the MS 100 is returned from the AAA-H via the AAA proxy servers 708 and 712 and via message 722. The AAA proxy 708 returns the AAA profile via message 724 to the AAA function node 704 which directs the profile via message 726 to the P-CSCF. The P-CSCF 200 can store the authorisation profile so that subsequent requests do not require access to the AAA-H as above described. It is noted that the AAA infrastructure used in the example FIG. 7 may have different configurations in different networks.

FIG. 8 illustrates how an INVITE process can be carried out in accordance with embodiments of the present invention. The INVITE message 800 is transmitted from the MS 100 to the P-CSCF 200. Thereafter a user profile can be transferred from the AAA-H back to the P-CSCF as described in relation to FIG. 7. Once the P-CSCF has received the user profile, authentication and/or authorisation messages can be transmitted to the MS 100 via message 802. The MS responds to the authentication and/or authorisation message with the response to a possible challenge. After the MS has been authenticated and/or authorised, which may require another roundtrip to the home AAA-H server, the P-CSCF 200 transmits an INVITE message 804 to mobile station 110′ which represents the callee in the callee network 806. It will be understood that once the AAA user profile has been transferred to the P-CSCF 200 subsequent requests from the MS 100 to invite callee 100′ can be made without reference to the AAA-H being made via the AAA infrastructure (704, 708, 712).

FIG. 9 illustrates an INVITE process without the requirement of authorisation and/or authentication from the AAA-H. This occurs subsequent to the process by which the user profile has been transferred to the P-CSCF 200. In this situation an INVITE message 900 is issued from the MS 100 in the P-CSCF and subsequent to this verification an INVITE message 910 is transmitted to the callee 100′. This occurs without the need for authorisation from any other network node.

It will be understood that in accordance with other embodiments of the present invention the verification of a user characteristic will be carried out upon the occurrence of other pre-determined events. Under these conditions the method depicted in FIG. 5 would be modified accordingly.

In accordance with embodiments of the present invention the user specific record may be stored in a data store of the S-CSCF.

In accordance with embodiments of the present invention the user specific record may be stored in a data store of the P-CSCF. According to other embodiments the user specific record may be stored in the home network of the communication system. It will be appreciated in this latter case that the time delay effects above-referenced will not be as greatly improved, however the provision of the user specific record which indicates times or events when no authentication and/or authorisation need to be carried out will nevertheless result in a reduction in delay of providing a user with access to this service and to a reduction in the total number of messaging signals requiring generation, transmittal and receipt in the system. FIG. 6 illustrates a mobile station 100 in which the user specific records may be stored in accordance with further embodiments of the present invention. The mobile station includes a display 605 and buttons 604, 606 which together with a microphone and ear piece (not shown) provide a portion of a user interface. The mobile station is illustrated cut away (as shown by phantom line 608) to reveal a data storage unit 610 controlled via processor and control means 612. The provision of the user specific record in the mobile station 100 results in an appreciable reduction in the delays caused by having to verify the user characteristics prior to providing a user with the service. It will be understood that the present invention is in no way limited to MS configured in this manner.

It will be appreciated by those skilled in the art that embodiments of the present invention could be applied to the provision of any SIP transaction, for example the re-registration or SIP based presence and instant messaging services.

It will also be appreciated that embodiments of the present invention are applicable to SIP and AAA infrastructure interoperation for example over the 3GPP IMS Cx interface.

Embodiments of the present invention provide a means by which the signalling load between the home AAA, SIP entities and the terminal can be decreased. In addition the signalling delay can be reduced for sessions which do not require authentication and/or authorisation since the SIP entity, for example the SIP proxy, may be located in the visited network far from the home network where the Home AAA is located.

1. A method for providing access to a service for a user in a communication system, comprising the steps of: using a specific record, associated with said user, at a node in the communication system, containing information which, determines that a user is to be verified prior to providing access to said service.
2. The method as claimed in claim 1 further comprising the steps of: transferring said information from the AAA-H to the serving node in the signalling path for the service setup and/or service event and/or registration.
3. The method as claimed in claim 1 further comprising the steps of: deciding based on said information that the authentication and/or authorization needs be verified.
4. The method as claimed in claim 1 further comprising the steps of: performing the authentication and/or authorization.
5. The method as claimed in claim 4 further comprising the steps of: performing the authentication and/or authorization by using the AAA-H.
6. The method as claimed in claim 4 further comprising the steps of: performing the authentication and/or authorization in the node if the required parameters are available.
7. A method for providing a user of user equipment with access to a service from a service provider node in a wireless communication system, comprising the steps of: using a user specific record indicating a condition which, if satisfied, determines that a user characteristic is to be verified prior to providing access to said service; and providing access to said service responsive to said user specific record.
8. The method as claimed in claim 7 further comprising the steps of: determining if said condition is satisfied; and providing access to said service without verifying said user characteristic if said condition is not satisfied.
9. The method as claimed in claim 7 further comprising the steps of: determining if said condition is satisfied; verifying said user characteristic if said condition is satisfied; and subsequent to said step of verifying the user characteristic providing access to said service if said user characteristic indicates the user is permitted access to said service.
10. The method as claimed in claim 7 further comprising the steps of: determining if said condition is satisfied when a call session between said user and said service provider node is initiated.
11. The method as claimed in claim 7 further comprising the steps of: determining from the user specific record associated with said user if said condition exists during a call session between said user equipment and said service provider node.
12. The method as claimed in claim 7 wherein said wireless communication system comprises a serving network in which said user equipment is located, and a home network, said method further comprising the steps of: indicating, via said user specific record, when access to said service is permitted without determining, from data stored at a node in said home network, if access is permitted.
13. The method as claimed in claim 7 wherein said wireless communication system comprises a serving network in which said user equipment is located, and a home network, said method further comprising the step of: storing said user specific record at a node of said serving network.
14. The method as claimed in claim 7 further comprising the steps of: generating a register message at said user equipment and transmitting said register message to a local server node of said communication system; determining if a condition indicated by said user specific record stored at said local server node is satisfied; generating an access message at said local server node indicating that access to said service is permitted; and transmitting said access message to said service provider node.
15. The method as claimed in claim 14 further comprising: prior to said step of storing said user specific record, generating a request message at said local server node and transmitting said request message to the home AAA server of the user; and transferring data comprising said user specific record from said home AAA server to said local server node responsive to said request message.
16. The method as claimed in claim 7 further comprising: generating an invite message at said user equipment and transmitting said invite message to a local server node of said communication system; determining if a condition indicated by said user specific record stored at said local server node is satisfied; generating an access message at said local server node indicating that access to said service is permitted; and transmitting said access message to said service provider node.
17. The method as claimed in claim 7 wherein said user characteristic comprises whether said user is authorised to access said service.
18. The method as claimed in claim 7 wherein said user characteristic comprises whether said user is authenticated to access said service.
19. The method as claimed in claim 7 wherein said condition determines the frequency at which said user is to be authorised and/or authenticated during a call session between said user equipment and said service provider node.
20. The method as claimed in claim 1 wherein said step of using a specific record comprises storing a user specific record.
21. A server node of a communication system for providing a user of user equipment with access to a service from a service provider node, said server node comprising: means for receiving a message from said user equipment; means for using a user specific record, associated with said user, indicating a condition which, if satisfied, determines that a user characteristic is to be verified prior to providing said user with access to said a service; and means for generating, in response to said user specific record, an access message for providing said user with access to said service.
22. The server node as claimed in claim 21 further comprising: means for transmitting said access message to a service provider node.
23. A server node as claimed in claim 21 further comprising: means for receiving data comprising said user specific record transmitted from a home AAA server node.
24. A server node as claimed in claim 21 comprising a serving or proxy-call session control function node.
25. A server node as claimed in claim 21 wherein said user specific record comprises a first data field identifying said user and a second data field determining when authentication and/or authorisation of said user is required in order to access said service.
26. The server node as claimed in claim 21 wherein said means for using a user specific record comprises means for storing.
27. Mobile user equipment, for providing a user with access to a service from a service provider node, comprising: means for using a user specific record associated with said user, indicating a condition which, if satisfied, determines that a user characteristic is to be verified prior to providing said user with access to said a service; and means for generating, in response to said user specific record, an access message for providing said user with access to said service.
28. Mobile user equipment as claimed in claim 27 wherein said means for using a user specific record comprises means for storing a user specific record.